So how exactly both Spectre and Meltdown work?

Both take advantage of or rather rely on concepts such as high-speed timing measurements.

They use these measurements in order to detect private and/or sensitive information.

Security researchers and engineers, somewhat counterintuitively, had to come up with patches which would actually decrease the pace at which some computations worked.

During the process researchers also found out that Spectre and Meltdown vulnerabilities took advantage of seemingly mundane and unimportant computations.

Moving forward from that, the first thing that security researchers had to take care involved slowing down the related performance API for various web browsers.

As mentioned just now, Mozilla did it before anyone else.

The problem with performance API was simple enough.

It previously had the ability to analyze all the behaviors related to a page at a very fast speed.

These speeds were fast enough for hackers to use the API to launch an attack.

But researchers also had to make another change.

This change had them remove SharedArrayBuffer.

What is SharedArrayBuffer?

Think of it as a data structure.

But of a new kind.

Atop SharedArrayBuffer hackers could rebuilt similar timers with the most trivial of techniques.

Again, Mozilla took the lead in fixing this issue as well.

Microsoft implemented similar changes to its own browsers (Internet Explorer and of course, Edge) soon enough.

WebKit also got in on the act because it represented a tool that allowed everyone to view the web.

Many web browsers use WebKit in fact.

These vulnerabilities don’t have any simple and straightforward solution.

Developers have used WebKit to build web browsers such as Mobile Safari, Safari, the Android browser along with many other dedicated web browsers which come embedded in a ton of mobile devices and otherwise.

At the time of writing this report, SharedArrayBuffer is now gone.

In other words, all major web browsers have disabled SharedArrayBuffer by default.

One could say that all these browsers basically backpaddled on some of the most established features on the web.

But they had to do it.

Security exploits such as Spectre and Meltdown had made it necessary to do so.

One can’t ignore the fact that it was unexpected and strange though.

The thing readers need to understand here is that the web, for the most part, is actually a decentralized specification among various other things.

To put it another way, it represents an agreement about how we should build things.

But that’s not all.

The web also tells us how should we run the things that we have built.

So it is just not enough to come up with new features.

They should have meaningful existence on the internet itself.

That’s why standard bodies along with web browsers and developers have to, first, come to a common understanding about how the web should or would work.

Once an entity (person, developer team) adds some new feature to the above-mentioned agreement, no one can remove it.

Why is that?

Vulnerabilities like Meltdown and Spectre will eventually change the way we view technology advancements.

Because no one really has an idea what new problems the new addition may give rise to.

Moreover, it is even more difficult to know in which sections andor far flung corners the new problems may appear.

Bits And Beyond

The temporary solution required engineers to immediately decrease the speeds of online timing measurements and processors.

Thereby, in the process of fixing Spectre and Meltdown vulnerabilities engineers and security researchers had to reverse the advanced that everyone thought we had made both with the overall sophistication of the online world (the web) as a useful platform and the hardware.

Likewise, we have also seen how disruptive ideas can manage to attain a pace that can successfully manifest itself outside the silicon.

For example, in the city of New York, Uber’s market dominance and reach emerged at a rapid pace.

It was rapid enough to quickly capitalize on the then ongoing financial problems of the city’s subway system.

Airbnb saw similar success come its way after the barriers to proper home ownership kept on going higher for the country’s modern middle class.

But regardless, security vulnerabilities may substantially erase its real-world benefits in terms of performance.

Especially after engineers tame security vulnerabilities like Spectre and Meltdown.

On a side note, in this context, the rather long-standing computing trope should cause even more concern.

That trope goes along the lines of “it is all just zeroes and ones.”

One needs to really think about it.

Are we really only talking about bits once we know that these same bits are responsible to drive our 3D printers, drones and our robots?

We live in a world today where new technologies are able to manifest themselves in the actual/real world.

Why is that?

Well, despite all the progress that the online world has made in the last decade our so, the simple truth is the real world is where most of the “real” money is.

Perhaps this is also a good time to mention that, in one way, Bitcoin (the cryptocurrency and all its auxiliary industries such as coin mining) melts the earth’s polar ice caps as well.

Let’s expand the scale for a bit now.

Let’s expand it to the mind-boggling scale of the cosmos.

What we mean to say here is that security vulnerabilities such as Spectre and Meltdown will eventually affect our innate ability to edit (and sometimes create) organisms.

Now, let’s just jump onto a level that is more tangible.

The truth we need to come into grips with is that security vulnerabilities such as Spectre and Meltdown have actually decreased the previous operational speeds of both online timing measurements and processors.

In the process of doing so, they have reversed the advances we, as people, thought we had made both in the general complexity of the internet as a reliable platform and the hardware that we use today.

Some would argue that in both of the above-mentioned fields, we had actually put ourselves (quite literally) in a race whose finish line would have lead us to something terrible.

The thing we need to realize right now is that we, as a community, have built technology a bit too quickly.

Too quickly, even for our own good.

The technology is more real than ever before.

It is now quantifiable in real dollars and of course, microseconds.

And we have made use of a wide range of metrics and tools to achieve our goals even though features such as SharedArrayBuffer have gone away and are no longer around to perform and take those measurements for us.

Any technology that seeks to change and/or reshape our existing infrastructure deserves a list of things.

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.

Disclaimer:

This website and its content (including links to other websites) are presented in general form and are provided for informational purposes only. Please seek legal advice for all topics you wish to follow on with.